A little iptables help for Guest Access

Tags
iptables, solved

09-14-2015 - Original Discussion by mcaramb

Hey folks,

I've setup a wifi guest network on an E2500 router running TomatoUSB, that I only want to have internet access provided for.

Did this by creating a separate bridge (br1), then putting it in its own VLAN, created a virtual wifi interface, then set some firewall rules to isolate that network from the primary wifi network.

However, this router isn't directly connected to a modem on the WAN, it connects to another router on my local LAN (192.168.0.1) first. I've gotten ambitious and want to isolate out the local LAN the other router is part of as well by keeping guests from seeing any of the devices there (except the router and the DNS server), but it's not working and I can't figure out why…

here's the details:

br0 (full access wifi, 192.168.22.0)
br1 (guest access wifi, 192.168.23.0)
eth0 (E2500 WAN ip is 192.168.0.245, using 192.168.0.1 as gateway to router on local lan that is connected to modem)

I also use my own custom local dns server which is at 192.168.0.121

(ok, so here's the bit I wrote that isolates the two bridges from seeing each other which works fine)

Code:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

(now here's the bit that I hoped would keep the guests out of the 192.168.0.0 subnet, except for the gateway and DNS ips, but it doesn't work)

Code:
iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT

I can still ping and access 192.168.0.0 devices from the guest network.

I thought maybe the ordering was the issue, so I tried this as well:

Code:
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

Still no dice...

Any ideas?
Thanks
Mike

Moderator's Comments:
Please use code tags for your code and data, thanks


---------- Post updated at 11:00 AM ---------- Previous update was at 09:35 AM ----------

Never mind! I figured it out. Also, the way it was written, communication was still happening between the bridges. Replaced all the code with this and now it's correctly blocking all traffic both between the bridges and to the local downstream LAN.


Code:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.22.1
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.22.2-192.168.22.254 -j REJECT
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.0.2-192.168.22.254 -j REJECT


Last edited by vbe; 09-14-2015 at 12:09 PM..
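An added check, not part of the original post and not TomatoUSB code: a small first-match simulator for the iptables filter/FORWARD chain, so a rule set like the ones in this thread can be tested against sample packets before it is loaded on the router. Only the verbs and matches the thread uses are modelled (-P, -A, -I at the top of the chain, -i, -o, -s, -d, -m iprange --dst-range, -m state --state); the packets and the "FIXED" rule set are constructed here, with the guest subnet 192.168.23.0/24, the gateway 192.168.0.1 and the DNS host 192.168.0.121 taken from the post. The conntrack-state rule for eth0-to-br1 return traffic is an addition of this example.

```python
"""Added example (not code from the forum post or from TomatoUSB): a first-match
simulator for the iptables filter/FORWARD chain, so a rule set can be checked
against sample packets before it is loaded on a router.  Only the verbs and
matches used in the thread are modelled: -P, -A, -I (top of chain), -i, -o, -s,
-d, -m iprange --dst-range and -m state --state.  Packets are constructed."""
import ipaddress
import shlex


def parse_rule(toks):
    """Collect the match fields and the -j target of one tokenised iptables command."""
    rule, i = {}, 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t in ("-i", "-o", "-j"):
            rule[t] = arg
        elif t in ("-s", "-d"):
            rule[t] = ipaddress.ip_network(arg, strict=False)   # host or CIDR
        elif t == "--dst-range":
            rule[t] = tuple(ipaddress.ip_address(a) for a in arg.split("-"))
        elif t == "--state":
            rule[t] = set(arg.split(","))
        else:
            i += 1   # 'iptables', verb, chain name, '-m module': not a match field
            continue
        i += 2
    return rule


def matches(rule, pkt):
    """True when every match field present in the rule agrees with the packet."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    checks = {
        "-i": lambda v: v == pkt["in"],
        "-o": lambda v: v == pkt["out"],
        "-s": lambda v: src in v,
        "-d": lambda v: dst in v,
        "--dst-range": lambda v: v[0] <= dst <= v[1],
        "--state": lambda v: pkt.get("state", "NEW") in v,   # untracked packets count as NEW
    }
    return all(ok(rule[k]) for k, ok in checks.items() if k in rule)


class ForwardChain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy   # replaced by any 'iptables -P FORWARD ...' that is loaded
        self.rules = []        # evaluated top to bottom; the first matching rule decides

    def load(self, commands):
        for cmd in commands:
            toks = shlex.split(cmd)
            if "-t" in toks:
                continue   # nat-table rule: not part of filter/FORWARD
            if toks[1] == "-P":
                self.policy = toks[3]
            elif toks[1] == "-A":
                self.rules.append(parse_rule(toks))      # -A appends at the bottom
            elif toks[1] == "-I":
                self.rules.insert(0, parse_rule(toks))   # -I (no position) goes on top
        return self

    def verdict(self, pkt):
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["-j"]
        return self.policy


# The poster's reordered attempt, copied from the thread.
REORDERED = [
    "iptables -P FORWARD DROP",
    "iptables -A FORWARD -i eth0 -o br0 -j ACCEPT",
    "iptables -A FORWARD -i br0 -o eth0 -j ACCEPT",
    "iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT",
    "iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT",
    "iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT",
    "iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT",
    "iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP",
    "iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP",
    "iptables -A FORWARD -i eth0 -o br1 -j ACCEPT",
    "iptables -A FORWARD -i br1 -o eth0 -j ACCEPT",
]
# Constructed alternative (not the poster's): guest traffic is matched on its destination,
# gateway and DNS host are allowed, the rest of the LAN is dropped, LAN->guest is replies only.
FIXED = [
    "iptables -P FORWARD DROP",
    "iptables -A FORWARD -i eth0 -o br0 -j ACCEPT",
    "iptables -A FORWARD -i br0 -o eth0 -j ACCEPT",
    "iptables -A FORWARD -i br1 -d 192.168.0.1 -j ACCEPT",
    "iptables -A FORWARD -i br1 -d 192.168.0.121 -j ACCEPT",
    "iptables -A FORWARD -i br1 -d 192.168.0.0/24 -j DROP",
    "iptables -A FORWARD -i br1 -o eth0 -j ACCEPT",
    "iptables -A FORWARD -i eth0 -o br1 -m state --state ESTABLISHED,RELATED -j ACCEPT",
]
# Constructed packets: a guest host reaching for a LAN host, and that host's reply.
GUEST_TO_LAN = {"in": "br1", "out": "eth0", "src": "192.168.23.10", "dst": "192.168.0.50"}
LAN_REPLY = {"in": "eth0", "out": "br1", "src": "192.168.0.50", "dst": "192.168.23.10", "state": "ESTABLISHED"}
```

Fed the reordered rule set from the post, `verdict(GUEST_TO_LAN)` returns ACCEPT from the final `-i br1 -o eth0` rule: `-i br1 -s 192.168.0.0/24` tests the source address of traffic entering br1, and a guest packet carries a 192.168.23.x source, so that DROP never matches regardless of where it sits. The FIXED set returns DROP for the same packet, ACCEPT for guest traffic to 192.168.0.121 or to the internet, ACCEPT for the ESTABLISHED reply, and the policy DROP for a NEW connection from the LAN into the guest bridge. The same check can be run over the final block in the update (the simulator skips the `-t nat` line): the `-I` inserts leave both REJECT rules above the NEW ACCEPT, and the range 192.168.0.2-192.168.22.254 as written includes 192.168.0.121, so which hosts stay reachable is worth confirming on the router with `iptables -L FORWARD -v -n`.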